On Fri, May 29, 2020 at 12:07:45PM +0800, we...@ucloud.cn wrote:
> From: wenxu <we...@ucloud.cn>
>
> Currently add nat mangle action with comparing invert and ori tuple.
> It is better to check IPS_NAT_MASK flags first to avoid non necessary
> memcmp for non-NAT conntrack.
>
> Signed-off-by: wenxu <we...@ucloud.cn>
> ---
> net/sched/act_ct.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index c50a86a..d621152 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -198,18 +198,21 @@ static int tcf_ct_flow_table_add_action_nat(struct net
> *net,
> struct flow_action *action)
> {
> const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
> + bool nat = ct->status & IPS_NAT_MASK;
> struct nf_conntrack_tuple target;
[A]
>
> nf_ct_invert_tuple(&target, &ct->tuplehash[!dir].tuple);
>
> switch (tuple->src.l3num) {
> case NFPROTO_IPV4:
> - tcf_ct_flow_table_add_action_nat_ipv4(tuple, target,
> - action);
> + if (nat)
Why do the same check multiple times, on all actions? As no other action is performed if not doing a nat, seems at [A] above, it could just: if (!nat) return 0;
> + tcf_ct_flow_table_add_action_nat_ipv4(tuple, target,
> + action);
> break;
> case NFPROTO_IPV6:
> - tcf_ct_flow_table_add_action_nat_ipv6(tuple, target,
> - action);
> + if (nat)
> + tcf_ct_flow_table_add_action_nat_ipv6(tuple, target,
> + action);
> break;
> default:
> return -EOPNOTSUPP;
> @@ -217,10 +220,14 @@ static int tcf_ct_flow_table_add_action_nat(struct net
> *net,
>
> switch (nf_ct_protonum(ct)) {
> case IPPROTO_TCP:
> - tcf_ct_flow_table_add_action_nat_tcp(tuple, target, action);
> + if (nat)
> + tcf_ct_flow_table_add_action_nat_tcp(tuple, target,
> + action);
> break;
> case IPPROTO_UDP:
> - tcf_ct_flow_table_add_action_nat_udp(tuple, target, action);
> + if (nat)
> + tcf_ct_flow_table_add_action_nat_udp(tuple, target,
> + action);
> break;
> default:
> return -EOPNOTSUPP;
> --
> 1.8.3.1
>
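Review bot: With `nat` false, both switches still execute and their `default: return -EOPNOTSUPP;` arms still reject the conntrack, because the new flag guards only the four mangle helper calls (IPv4/IPv6 in the first hunk, TCP/UDP in the second). The change does not say whether a non-NAT entry with some other L3 or L4 protocol is meant to be refused by a function whose job is adding NAT actions. If that is intended, a comment at the declaration would record it, e.g. `/* nat only gates the mangle actions; unsupported l3/l4 protocols are still rejected below */`. The function body starts and ends outside the hunks, so how callers treat the error return is not visible here.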